
Why? Alpine is the de-facto standard for minimal containers. I had never heard of Red Hat UBI before, what does it bring to the table?



Alpine uses musl, which has on a few occasions led to weird and hard-to-reproduce bugs. Even though using musl saves a few megabytes of bloat, IMO it's not worth the headaches. Especially since some of the "bloat" in glibc is highly performant inline assembly. Plus if you're consistent about using an alternative base image like the slim Debian/Ubuntu ones, the extra storage should be more or less a constant.


Alpine's DNS resolver behaves differently than glibc (in particular it ignores the `ndots` option) which can lead to DNS query amplification. In Kubernetes clusters this can be taxing on the kube-dns service and lead to cluster reliability issues around DNS lookups.


Correcting myself above: This is not the problem; the problem is that musl-libc (1) does parallel queries which can be problematic under certain circumstances; and (2) handles NXDOMAIN/NODATA responses differently than glibc does which can lead to DNS resolution failures that wouldn't happen otherwise. There's a workaround to set `ndots:1` but that causes other problems with musl since it doesn't append search domains on retries. It's just a big mess.

There's a big discussion of it here: https://github.com/kubernetes/kubernetes/issues/33554
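An added illustration, not part of the thread or of any project's code: how `ndots` and the `search` list turn one name into several lookups, following the search-list rules documented in resolv.conf(5) for glibc. It does not model musl's resolver; the resolv.conf text and host names are constructed samples, and the function names are hypothetical.

```python
# Constructed sample of a pod-style resolv.conf (addresses and domains are illustrative).
SAMPLE_RESOLV_CONF = """\
# constructed sample
nameserver 10.96.0.10
search default.svc.cluster.local svc.cluster.local cluster.local
options ndots:5 timeout:2
"""


def parse_resolv_conf(text):
    """Return (search_domains, ndots). ndots defaults to 1 per resolv.conf(5)."""
    search, ndots = [], 1
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":      # comment lines start with # or ;
            continue
        fields = line.split()
        if fields[0] == "search":
            search = fields[1:]              # a later search line replaces an earlier one
        elif fields[0] == "options":
            for opt in fields[1:]:
                if opt.startswith("ndots:"):
                    ndots = int(opt.split(":", 1)[1])
    return search, ndots


def candidate_queries(name, search, ndots):
    """Ordered list of fully qualified names tried for `name` (glibc-documented order)."""
    if name.endswith("."):                   # trailing dot: absolute name, no search list
        return [name]
    absolute = name + "."
    expanded = [f"{name}.{domain.rstrip('.')}." for domain in search]
    if name.count(".") >= ndots:             # enough dots: try the name as given first
        return [absolute] + expanded
    return expanded + [absolute]             # too few dots: search list first, name last


def lookups_until_hit(name, search, ndots, existing):
    """Count names queried until one is in `existing` (a set of FQDNs that resolve)."""
    for count, fqdn in enumerate(candidate_queries(name, search, ndots), start=1):
        if fqdn in existing:
            return count
    return len(candidate_queries(name, search, ndots))


if __name__ == "__main__":
    search, ndots = parse_resolv_conf(SAMPLE_RESOLV_CONF)
    for n in (ndots, 1):
        print(f"ndots:{n}", candidate_queries("api.example.com", search, n))
```

With the sample's `ndots:5`, an external name such as `api.example.com` is tried against all three search domains before the name itself, and each of those may be queried once per record type.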


That sounds like a bug that should be reported to the Alpine Docker image maintainers. If not already, that is...


Alpine produces minimal images, that is correct. But Red Hat is a lot faster at releasing security fixes.


Because Red Hat is way faster at fixing security issues, as it's based off RHEL.



